DPDP Act 2023 Section 9 — Data Erasure Obligations When Retiring IT Equipment
India’s Digital Personal Data Protection Act 2023 introduced a specific obligation that most IT managers and DPOs have overlooked: the requirement to permanently erase personal data from devices before they are retired or disposed.
The obligation sits in Section 8(7) of the Act, read together with the Section 8 duties that apply when a Data Processor handles data on your behalf, and it has direct implications for how Indian companies handle old laptops, computers, servers, and phones.
What the DPDP Act 2023 Actually Says
The Act's provisions on Data Processors (entities that process personal data on behalf of a Data Fiduciary) sit in Section 8, not Section 9; Section 9 of the Act deals with the personal data of children. In substance, Section 8 provides that:
- the Data Fiduciary remains responsible for compliance in respect of any processing done on its behalf by a Data Processor (Section 8(1));
- a Data Processor may only be engaged under a valid contract (Section 8(2)); and
- the Data Fiduciary must implement appropriate technical and organisational measures to ensure the Act is observed (Section 8(4)).
The provision that directly governs IT disposal is Section 8(7). In substance: unless retention is required by another law, a Data Fiduciary must erase personal data when the Data Principal withdraws consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, and must cause its Data Processor to erase any personal data it had made available to that processor.
The copy of a customer's records sitting on a laptop that is being taken out of service is not serving any purpose at all. Even where the master record must be retained elsewhere, that residual copy is no longer serving the specified purpose, so it must be erased before the device leaves your control. The erasure obligation attaches to the data wherever it is stored, not only to the system of record.
Who is a “Data Fiduciary”?
A data fiduciary is any entity — including a company, government body, or individual — that determines the purpose and means of processing personal data. Under this broad definition:
- An IT company that stores client data on employee laptops is a data fiduciary for its own customer and employee data; where it holds a client's data on the client's instructions it is that client's Data Processor, and Section 8(7) then requires the client to make it erase that data, so the device must be sanitised either way
- A hospital that stores patient records on computers is a data fiduciary
- A bank that processes customer KYC data is a data fiduciary
- A recruitment firm that stores resumes is a data fiduciary
- Even a small business with a customer database is a data fiduciary
If your company processes personal data about customers, employees, or third parties in any digital form, you are a data fiduciary. Your obligations under Section 8(7) apply every time you retire a device that has handled that data.
The Specific Obligation for IT Asset Disposal
When your company retires an IT device that has been used to process personal data:
- The data must be erased before the device leaves your control. Selling or donating the device with data still on it does not transfer your liability: under Section 8(1) the fiduciary remains responsible, and the data is now in the hands of a party with no contract or obligation to you.
- Erasure must be permanent and verifiable. File deletion, emptying the Recycle Bin and a default factory reset do not qualify, because the data remains recoverable from the medium. The accepted technical reference is NIST SP 800-88 Rev. 1 (Guidelines for Media Sanitization): Purge or Destroy the media, then verify the result. NIST publishes the guideline but does not certify vendors, so a vendor's "NIST 800-88 certified" claim means the vendor attests to following it; ask what method and verification that covers.
- You must be able to prove erasure occurred. A Certificate of Destruction from the vendor, per device and per storage medium serial number, is your evidence that the obligation was met.
- Engaging a processor to dispose of devices does not relieve your obligation. An ITAD company you hand devices to becomes your Data Processor; Section 8(7) requires you to cause that processor to erase the data, and Section 8(1) keeps you responsible for what it does. A contract clause alone is not enough; you need the certificate of destruction and the verification evidence behind it.
Why Factory Reset Is Not Enough
This is the most common compliance gap. IT teams routinely factory reset devices before disposal and consider the obligation met. It is not.
A default Windows "Reset this PC" (like an ordinary file delete or a quick format) only rewrites filesystem metadata: it removes the directory entries and marks the sectors as free, but leaves the underlying bytes on the drive. Free carving tools such as Recuva, PhotoRec or TestDisk ignore the filesystem and scan the raw sectors for recognisable content, so they can recover:
- Browser-saved passwords and session tokens
- Email archives and calendar entries
- Locally cached copies of cloud documents
- Database files from CRM, HR, or ERP software
- SSH keys and VPN certificates
- Complete file structures including recently deleted documents
The "clean the drive" option in a Windows reset does overwrite the host-visible sectors, but on an SSD that is still not a reliable sanitisation: wear-levelling and over-provisioning mean the controller keeps copies of data in spare and remapped blocks that the host cannot address, so an overwrite issued from the operating system cannot reach them, and how much survives depends on the controller and its firmware rather than on anything you can observe from the host. Phones and laptops with full-disk or file-based encryption typically reset by discarding the encryption key; NIST SP 800-88 accepts such a cryptographic erase as Purge only under conditions on key handling that a consumer reset gives you no way to verify.
The DPDP Act obligation is therefore not satisfied by a factory reset. It requires permanent erasure: NIST SP 800-88 Purge, which for SSDs means the drive's own sanitisation command (ATA SECURITY ERASE UNIT in enhanced mode or ATA SANITIZE for SATA drives, Format NVM with secure erase or Sanitize for NVMe drives) followed by verification of the result, or NIST SP 800-88 Destroy (physical shredding) for high-sensitivity devices.
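To make the two points above concrete (deletion leaves the bytes in place; sanitisation has to be verified, not assumed), here is an added example in Python that is not part of the original article. It builds a constructed toy disk image in memory containing a file of made-up customer records, "deletes" it the way a filesystem does, carves the raw image for email addresses the way PhotoRec-style tools do, then overwrites the image and re-verifies by pseudo-random sector sampling plus a full carve, which is the shape of the verification step NIST SP 800-88 asks for. The image layout, the record format and the name and address in it are all invented for the example; on a real drive you would run the same checks against the block device after the drive's own sanitize command, not against a Python bytearray.

```python
"""Added example: why 'delete' is not erasure, and how to verify sanitisation.
Works on a constructed in-memory image; no real device or personal data involved."""
import random
import re

SECTOR = 512
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample record for the toy image (fictional person, example.com domain).
SAMPLE_RECORD = b"customer=Asha Nair;email=asha.nair@example.com;phone=+91-90000-00000\n"


def make_image(num_sectors: int = 1024) -> bytearray:
    """Build a toy raw disk image: a directory entry in sector 2 points at a
    file body stored from sector 40. This mirrors what matters on a real disk:
    metadata and data live in different places."""
    img = bytearray(num_sectors * SECTOR)
    body = SAMPLE_RECORD * 25                      # spans several sectors
    entry = b"customers.csv@sector40".ljust(32, b"\x00")
    img[2 * SECTOR:2 * SECTOR + len(entry)] = entry
    img[40 * SECTOR:40 * SECTOR + len(body)] = body
    return img


def delete_like_a_filesystem(img: bytearray) -> None:
    """What file deletion, emptying the Recycle Bin and a quick reset do:
    drop the directory entry and consider the sectors free. The body is untouched."""
    img[2 * SECTOR:3 * SECTOR] = bytes(SECTOR)


def carve_emails(img: bytes) -> list:
    """Signature carving in the style of PhotoRec: ignore the filesystem and scan
    the raw bytes for recognisable content. Returns the distinct addresses found."""
    return sorted(set(EMAIL_RE.findall(bytes(img))))


def overwrite_all(img: bytearray, pattern: int = 0x00) -> None:
    """Single-pass overwrite of every host-visible sector (NIST SP 800-88 'Clear'
    for a magnetic disk). On an SSD this cannot reach spare or remapped blocks,
    which is why Purge is done with the drive's own sanitize command instead."""
    img[:] = bytes([pattern]) * len(img)


def verify_by_sampling(img: bytes, pattern: int = 0x00,
                       fraction: float = 0.10, seed: int = 1) -> dict:
    """Post-sanitisation verification: read a pseudo-random sample of sectors and
    confirm every byte matches the expected pattern, then carve the whole image
    for anything that survived. The returned dict is the evidence you would keep
    with the erasure record."""
    n = len(img) // SECTOR
    rng = random.Random(seed)                     # fixed seed so the evidence is reproducible
    sampled = sorted(rng.sample(range(n), max(1, int(n * fraction))))
    expected = bytes([pattern]) * SECTOR
    dirty = [s for s in sampled if bytes(img[s * SECTOR:(s + 1) * SECTOR]) != expected]
    carved = carve_emails(img)
    return {
        "sectors_sampled": len(sampled),
        "dirty_sectors": dirty,
        "carved_identifiers": carved,
        "sanitised": not dirty and not carved,
    }


def demo():
    """Run the whole story: delete, show recovery, overwrite, show verification."""
    img = make_image()
    delete_like_a_filesystem(img)
    recovered = carve_emails(img)                 # still there after 'deletion'
    before = verify_by_sampling(img)
    overwrite_all(img)
    after = verify_by_sampling(img)
    return recovered, before, after


if __name__ == "__main__":
    recovered, before, after = demo()
    print("carved after filesystem delete:", recovered)
    print("verification before overwrite: sanitised =", before["sanitised"])
    print("verification after overwrite:  sanitised =", after["sanitised"],
          f"({after['sectors_sampled']} sectors sampled, {len(after['dirty_sectors'])} dirty)")
```

The sampling check is exactly as strong as the host's view of the medium: on an SSD it can confirm that the user-addressable area reads back as the expected pattern, but it can never prove that spare or remapped blocks are empty. That is why Purge has to be performed by the drive's firmware command rather than by an overwrite from the host, and why the classification scheme later in this page sends High-sensitivity media to Destroy.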
Penalty Structure for Violations
The Schedule to the DPDP Act 2023 sets maximum penalties by type of breach, imposed by the Data Protection Board after an inquiry (Section 33):
| Obligation | Section | Maximum Penalty |
|---|---|---|
| Failure to erase data once the purpose is no longer served (including residual copies on retired devices) | Section 8(7) (falls under "any other provision" in the Schedule) | ₹50 crore |
| Failure to take reasonable security safeguards to prevent a personal data breach | Section 8(5) | ₹250 crore |
| Failure to notify the Board and affected Data Principals of a breach (for example one caused by an improperly disposed device) | Section 8(6) | ₹200 crore |
| Engaging a Data Processor without a valid contract | Section 8(2) (falls under "any other provision") | ₹50 crore |
These are not automatic penalties; they follow a complaint or an inquiry by the Board. But the triggers are common: an OLX buyer who recovers data from a second-hand laptop, a breach report to CERT-In or the Board, or a whistleblower complaint to the Data Protection Board.
How to Comply with Section 8(7) for IT Disposal
Step 1: Classify devices by data sensitivity
Before retirement, assess each device's data classification based on the most sensitive personal data it has ever held, not only what is visible on it now (deleted files are exactly what a carver recovers):
- Low: General-purpose workstations with no customer PII (NIST Clear is sufficient)
- Medium: Devices with HR records, financial data, internal strategic documents (NIST Purge required)
- High: Devices with customer PII, payment data, medical records, government data (NIST Destroy — physical shredding)
Step 2: Use a verified ITAD vendor
Engage an ITAD company that sanitises media to NIST SP 800-88 and documents the method and verification per device. Verify their KSPCB authorization (legally required for physical device handling under the E-Waste (Management) Rules 2022). In Kerala: EWaste Kochi, KSPCB authorization KL/EW/628.
Step 3: Obtain Certificate of Destruction per device
A compliant CoD must include:
- Device make, model and serial number, plus the serial numbers of the storage media inside it (drives get swapped during a device's life, and the drive is what holds the data)
- NIST SP 800-88 level applied (Clear / Purge / Destroy) and the method used (for example enhanced secure erase, NVMe sanitize, or shredding)
- Verification performed and its result
- Date of destruction
- Authorized signatory of the ITAD company
- Reference to the vendor's KSPCB authorization
Step 4: Archive in DPO register
Store all CoDs, manifests, and declarations for a minimum of 3 years. Section 8(1) makes you responsible for processing done on your behalf by your processor and Section 8(5) requires "reasonable security safeguards"; the audit trail is how you demonstrate both if the Board asks.
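As an added example (not the article's or any vendor's own tooling), here is a small Python reconciliation check a DPO can run over the retiring-asset manifest and the certificates received, turning Steps 1 to 4 into a rule: every retiring serial has a certificate, the certificate's fields are filled in, the NIST level applied is at least what the device's data class requires, and no certificate refers to a device that was never handed over. The Asset and Certificate records, the serial numbers and the signatory are constructed sample data, and KL/EW/XXX is a placeholder authorisation reference, not a real one.

```python
"""Added example: reconcile the retiring-asset manifest against Certificates of
Destruction. Constructed sample data only; nothing here is a real serial or vendor."""
from dataclasses import dataclass

# Sanitisation levels from NIST SP 800-88 Rev. 1, weakest to strongest.
LEVEL_RANK = {"Clear": 1, "Purge": 2, "Destroy": 3}
# Minimum level each data class demands under the classification in Step 1.
REQUIRED_LEVEL = {"Low": "Clear", "Medium": "Purge", "High": "Destroy"}


@dataclass(frozen=True)
class Asset:
    serial: str
    model: str
    data_class: str      # "Low", "Medium" or "High"


@dataclass(frozen=True)
class Certificate:
    serial: str
    level: str           # NIST level the vendor states was applied
    date: str            # ISO date of destruction
    vendor_auth: str     # vendor's SPCB authorisation reference
    signatory: str


def reconcile(assets, certs):
    """Return a list of (serial, finding, detail) tuples. An empty list means every
    retiring device has a complete certificate at an adequate level and no
    certificate refers to a device you never handed over."""
    certs_by_serial = {}
    for c in certs:
        certs_by_serial.setdefault(c.serial, []).append(c)
    findings = []
    for a in assets:
        matches = certs_by_serial.pop(a.serial, [])
        if not matches:
            findings.append((a.serial, "NO_CERTIFICATE",
                             "device left your control without proof of erasure"))
            continue
        cert = max(matches, key=lambda c: c.date)   # latest wins if the vendor re-issued
        blank = [f for f in ("date", "vendor_auth", "signatory")
                 if not getattr(cert, f).strip()]
        if blank:
            findings.append((a.serial, "INCOMPLETE_CERTIFICATE", "missing " + ", ".join(blank)))
        required = REQUIRED_LEVEL[a.data_class]
        if cert.level not in LEVEL_RANK:
            findings.append((a.serial, "UNKNOWN_LEVEL", cert.level))
        elif LEVEL_RANK[cert.level] < LEVEL_RANK[required]:
            findings.append((a.serial, "INSUFFICIENT_LEVEL",
                             f"{a.data_class} data needs {required}, certificate says {cert.level}"))
    for serial in certs_by_serial:             # certificates left over after matching
        findings.append((serial, "CERT_WITHOUT_ASSET",
                         "certificate for a serial that is not on the manifest"))
    return findings


# Constructed manifest and certificates; KL/EW/XXX is a placeholder, not a real authorisation.
SAMPLE_ASSETS = [
    Asset("LT-0001", "laptop", "High"),
    Asset("LT-0002", "laptop", "Medium"),
    Asset("WS-0003", "workstation", "Low"),
    Asset("SV-0004", "server", "High"),
]
SAMPLE_CERTS = [
    Certificate("LT-0001", "Purge", "2024-06-01", "KL/EW/XXX", "A. Signatory"),   # too weak for High
    Certificate("LT-0002", "Purge", "2024-06-01", "KL/EW/XXX", "A. Signatory"),   # adequate
    Certificate("WS-0003", "Clear", "2024-06-01", "", "A. Signatory"),            # no authorisation ref
    Certificate("XX-9999", "Destroy", "2024-06-01", "KL/EW/XXX", "A. Signatory"), # never handed over
]


def audit_register():
    """Run the reconciliation over the sample data."""
    return reconcile(SAMPLE_ASSETS, SAMPLE_CERTS)


if __name__ == "__main__":
    for serial, finding, detail in audit_register():
        print(f"{serial}: {finding}: {detail}")
```

Run this before the register is closed for the quarter, and treat any NO_CERTIFICATE or INSUFFICIENT_LEVEL finding as an open incident rather than a paperwork gap: a High-class device with only a Purge certificate, or no certificate at all, is a device that may have left your control with recoverable personal data on it.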
Intersection with E-Waste Rules 2022
Section 8(7) of the DPDP Act and Rule 13 of the E-Waste (Management) Rules 2022 are separate obligations that both apply to IT disposal:
- DPDP Act Section 8(7): personal data must be permanently erased. Satisfied by sanitisation to NIST SP 800-88 Purge or Destroy, with verification and a certificate per device.
- E-Waste Rules 2022 Rule 13: physical devices must go to KSPCB-authorized recyclers. Satisfied by engaging a KSPCB-authorized ITAD company.
Both can be satisfied in a single engagement with an authorized ITAD vendor that provides NIST SP 800-88 data sanitisation and documents it per device.
Quick Compliance Checklist
- Asset register updated with all retiring devices
- Data sensitivity classified per device
- ITAD vendor KSPCB authorization verified (KL/EW/XXX number + kspcb.kerala.gov.in check)
- Data Processor Agreement signed with ITAD vendor
- Devices handed over with asset manifest
- Certificate of Destruction received per device serial number
- DPDP Act Data Disposal Declaration received
- All documents archived in DPO register (3+ years)
EWaste Kochi provides a complete DPDP Act Section 9 compliance package for Kerala companies: NIST 800-88 certified destruction, Certificate of Destruction per device, DPDP Act Data Disposal Declaration, and E-Waste Manifest — all in a single service engagement. Get your compliance quote.